When the U.S. Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, Capital District Physicians' Health Plan (CDPHP) was determined to be fully compliant well before the mandatory deadline. Much of the compliance burden fell to Kevin Colwell, a change-management specialist at the Albany, N.Y., health insurer.
Colwell soon found that HIPAA's stringent rules surrounding patient information complicated simple actions that had always seemed straightforward. For example, when computer users call the help desk, it seems obvious that their phone numbers must be captured for call-back purposes. But HIPAA restricts access to such numbers, as well as how the information is subsequently safeguarded.
The plot thickens when you consider that CDPHP's 750 employees are also clients of the insurer. So, when the computer users buzzed the help desk, how was the company to know whether they were calling as employees or as customers? Factor in remote workers and physicians (who might also be customers themselves), and the regulatory situation gets more complex. "We needed to protect all this communication," Colwell says. "But we also need to communicate."
Global Trend
The challenges faced by CDPHP are familiar to businesses everywhere and multiplied many times over by the latest regulations. All over the world, regulatory agencies are tightening business rules with new regulations. As a result, global enterprises now must comply with everything from regional laws that have an enormous impact (such as California's Senate Bill 1386, which compels organizations doing business in that state to contact anybody whose personal information may have been compromised -- one university recently notified 380,000 people in its database) to the growing likelihood of class-action lawsuits in Far East countries that have never before allowed such actions.
The details of the regulations vary, but what they all have in common is scrutiny over corporate governance, with an eye toward protecting consumers and investors. Thus, enterprises must track and save digital information more closely than ever before. This establishes compliance as both an IT and a business issue. And addressed properly, strategies for compliance help IT mature and move toward best practices that are good for both IT and business. Leading enterprises are responding with systems and governance processes that ensure quick response to any new rule, whether it originates in Sacramento or Singapore.
The increased government and regulatory oversight of corporate activity is a new cost of doing business, and it can be a high one at that. When you examine that expense, look at a sampling of the regulations facing business today, and explore the components common to many of those regulations, the need to form a proactive compliance strategy takes on new urgency. To meet these objectives, there are changes enterprises can make to their governance processes and technology systems to not only respond rapidly when new regulations arise, but also achieve competitive advantage and IT efficiencies while doing so.
The Cost of Compliance
To this point, regulatory compliance has been an expensive task -- but that's partly due to the newness of the concept (where information is concerned, that is). Businesses tackling HIPAA or UK Data Protection Act 1998 deadlines have generally done so by throwing together all-hands-on-deck teams, pulling key IT and business staffers away from their daily jobs, and thus leaving vital gaps elsewhere. In general, enterprises are at the steep portion of the compliance learning curve.
This underscores the need to devise a comprehensive, repeatable compliance-management process. Few companies can afford to scramble a team of specialists each time a new regulation looms. It makes sense to instead create a proactive policy that can be adjusted for the specifics of any regulation.
How much money will a proactive approach save in the long run? It's difficult to pin down, but the costs of Section 404 of the Sarbanes-Oxley Act serve as an example. Section 404 is the mandate that U.S. public companies' annual reports include a statement of management's responsibility to establish and maintain adequate internal controls, assess financial reporting, and disclose any material weaknesses in the company's internal-controls structure.
In a survey of 321 U.S. public companies, industry group Financial Executives International found that for businesses whose revenue tops $5 billion, the average cost of Section 404 compliance will be $4.6 million, which includes 35,000 hours of internal manpower; $1.3 million for consulting and software; and $1.5 million in new audit fees.
Another survey, conducted by the Business Roundtable, polled 150 CEOs at large U.S. companies. Half said their compliance costs would range from $1 million to $5 million; some estimates topped $10 million.
Where Sarbanes-Oxley is concerned, "Governance and compliance are no different than most other business issues," said Brian Wood, a Gartner analyst, at the Gartner Symposium/ITxpo 2004. "A compliance architecture doesn't necessarily require new software investments and does not need to be implemented across the enterprise in a single step. Most organizations will find that they already have many of the software tools they need." The research firm says the same is true of Basel II and other regulations.
Gartner analysts offered other reassuring words at this event, pointing out that any enterprise that has in place items including solid security and business continuity planning and a document management system possesses the foundations for a compliance architecture.
By establishing such an architecture, enterprises will reduce the cost of regulatory compliance because it "eliminates requirements to hire external auditors or consultants every time a new law appears," says Gartner's Rich Mogull.
John Hagerty, a compliance expert at Boston-based AMR Research, agrees. "If you address each new regulation in isolation, you'll overpay," Hagerty says. In February, he authored a report, "Planning for a Sustainable Active Compliance Architecture," that called regulatory compliance "a strategic objective, not just a collection of tactical projects."
Common Threads
"All legal, regulatory and industry-driven directives are vast in scope and effect," writes AMR's Hagerty. "Nonetheless, many share business requirements, allowing for a common approach and management." He adds that "virtually all compliance mandates are driven from rules, policy, and procedure." Common requirements include the following:
- Documentation and reporting
- Security and data privacy
- Records and communications management
- Analytic capabilities
- IT infrastructure
These common threads add up to a compelling argument for methodologies that tie technology resources to business priorities.
Taking the Lead
Today, where regulations are concerned, it's vital to become proactive. With the right processes and tools in place, an enterprise can react quickly whenever and wherever a new set of rules springs up. In and of itself, this approach can provide competitive advantage, because you can focus on business while your competitor is still scrambling to comply with the latest regulations. Moreover, monitoring information for regulatory purposes also improves a company's knowledge about its customers, trading partners and competitive environment.
AIIM International (the Association for Information and Image Management), a leading computer industry group, has recently published a book on regulatory compliance that attempts to lay out a step-by-step program for businesses. Information Nation: Seven Keys to Information Management Compliance, by Randolph Kahn and Barclay Blair (March 2004), details the following critical compliance factors:
- Good policies and procedures
- Executive-level program responsibility
- Proper delegation of program roles and components
- Program communication and training
- Auditing and monitoring to measure program compliance
- Effective and consistent program enforcement
- Continuous program improvement
John Mancini, president of AIIM, says, "We represent enterprises all over the world. As we discuss today's regulatory environment with them, we urge them to not just think of compliance as a thing they have to do in response to new laws; if you think in those terms, you're too late. You're just knee-jerking."
Rather, Mancini says, businesses must think in broad-based terms. "Government regulations, legal requirements, process management, business requirements -- this is all part of the big picture, and it's all about treating information with the same demanding tolerances you treat anything else in your organization."
Wide World of Regulations
Some of the New Laws Facing Global Businesses
Increased regulation surrounding business data is sweeping the globe, even in nations previously regarded as laissez-faire. Here's a rundown of just some of today's international regulatory efforts.
IAS/IFRS. All European Union-listed companies must prepare consolidated accounts in accordance with International Financial Reporting Standards (IFRS) or International Accounting Standards (IAS) beginning with their first reporting period after Jan. 1, 2005. The sweeping package of regulations will affect about 7,000 European enterprises more or less simultaneously, so there's already a shortage of expertise. The goal is a standardized corporate financial statement that can be readily understood by potential investors anywhere in Europe.
BASEL II. Due to be in place by 2006, Basel II (formally known as the New Basel Capital Accord) is an international set of regulations being spearheaded by the Bank for International Settlements. Central banks and regulatory authorities in the United States, Japan, Germany and other countries are also major players. In a nutshell, Basel II is intended to paint a more accurate picture of financial institutions' risk management.
DATA PROTECTION ACT 1998. Though this UK law took effect in 2000, its ramifications are only now becoming clear to global businesses. The act established rules for processing UK citizens' personal data. It also tightly controls the transfer of UK employee, customer and subscriber data to U.S. companies.
LAUNCH OF SINGAPORE'S ACRA. This is not a regulation per se, but rather a new regulatory agency -- the Accounting and Corporate Regulatory Authority -- in Singapore, which has a history of being extremely business-friendly. "ACRA will combine the function of monitoring and ensuring that companies comply with the prescribed accounting standards," said Lim Hng Kiang, Singapore's second minister for finance, at the May announcement of ACRA's formation. Singapore, along with other Asian nations, is tightening accounting and data-gathering rules in response to reduced investor confidence.